@jeremypruitt
Last active June 5, 2018 04:03
Kubernetes Vault Auth Client PoC

KUBERNETES VAULT CLIENT POC WITH LOCAL VAULT AND MINIKUBE

This is a PoC of the kubernetes-vault-client using an instance of Vault running in -dev mode and a local instance of minikube. The kubernetes-vault-client tool runs in an init container, authenticates to Vault with the pod's Kubernetes service account token through the kubernetes auth backend, pulls secrets and dumps them into a volume that any container in the pod can mount, preferably an emptyDir with medium: Memory, so the secrets live in tmpfs rather than on the node's disk and disappear with the pod. It is meant to be run on a laptop and demonstrates the configuration needed to get the pieces talking to each other.
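A pod that consumes secrets this way, added here as an example that is not part of the gist and does not use the kubernetes-vault-client tool itself: the init container runs the stock vault CLI against the same auth/kubernetes/login endpoint the client uses, writes the fetched value into a memory-backed emptyDir, and the application container mounts that volume read-only. The service account vault-auth, the Vault role demo, the secret path secret/demo, the Vault address and the image tags are assumptions of this example, not values from the page.

```shell
#!/bin/sh
# Added example, not from the gist and not the kubernetes-vault-client tool:
# the same init-container pattern using the stock vault CLI. Assumed names (not
# on the original page): service account "vault-auth" bound to Vault role
# "demo", KV v2 secret "secret/demo" holding a "password" key, Vault reachable
# from inside minikube at VAULT_ADDR, and the image tags. Adjust to taste.
# Usage:  VAULT_ADDR=http://192.168.99.1:8200 sh pod.sh apply
set -eu

# Emit the manifest; kept in a function so it can be reviewed before applying.
pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: vault-secret-demo
spec:
  serviceAccountName: vault-auth
  volumes:
    - name: vault-secrets
      emptyDir:
        medium: Memory      # tmpfs: the secret never touches the node's disk
  initContainers:
    - name: fetch-secrets
      image: hashicorp/vault:1.15.0
      env:
        - name: VAULT_ADDR
          value: "${VAULT_ADDR:-http://192.168.99.1:8200}"
      command: ["sh", "-c"]
      args:
        - |
          set -e
          # Trade the pod's own service-account JWT for a short-lived Vault token...
          VAULT_TOKEN=\$(vault write -field=token auth/kubernetes/login \\
              role=demo jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token)
          export VAULT_TOKEN
          # ...and use it once to materialise the secret into the shared volume.
          vault kv get -field=password secret/demo > /vault/secrets/password
          chmod 0400 /vault/secrets/password
      volumeMounts:
        - name: vault-secrets
          mountPath: /vault/secrets
  containers:
    - name: app
      image: busybox:1.36
      # The app only proves the file is there; never echo the secret into logs.
      command: ["sh", "-c", "test -s /vault/secrets/password && echo secret present; sleep 3600"]
      volumeMounts:
        - name: vault-secrets
          mountPath: /vault/secrets
          readOnly: true      # the app reads the secret but cannot alter it
EOF
}

if [ "${1:-}" = apply ]; then
  pod_manifest | kubectl apply -f -
fi
```

Everything the app sees is a file on tmpfs written exactly once by a container that has already exited; the Vault token used to fetch it never leaves the init container. If the login fails, the init container fails and the pod never starts, which is the behaviour you want.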

Table of Contents

  0. Prepare Environment
  1. Configure Kubernetes Auth Backend

OPTIONAL: Install & Start Minikube

If you do not have access to a Kubernetes cluster, follow the minikube installation instructions for your operating system and bring a cluster up with minikube start.

OPTIONAL: Install & Start Vault Server

If you do not have access to a Vault server, download Vault for your operating system and start it on your laptop or desktop with:

$ vault server -dev -dev-listen-address="0.0.0.0:8200"

-dev mode keeps everything in memory, starts unsealed and prints a root token, so it is only for this kind of local experiment. Binding to 0.0.0.0 is what lets the minikube VM reach Vault at the host's IP; the same flag also exposes an unsealed dev server to every network your laptop is on, so do this on a trusted network only.

OPTIONAL: Create Policy for Humans & Secret Namespace

OPTIONAL: Create Secret

0. Prepare Environment

VAULT_ADDR is the address the vault CLI on your laptop uses. KUBE_CA_CERT_PATH is minikube's cluster CA certificate (~/.minikube/ca.crt on a default install). The configuration command in the next section also expects default_token_value, the service account JWT Vault will present to Kubernetes for token review, so export that the same way.

$ export VAULT_ADDR=__CHANGEME__
$ export KUBE_CA_CERT_PATH=__CHANGEME__

1. Configure Kubernetes Auth Backend

Enable the kubernetes auth backend

$ vault auth enable kubernetes

Configure the Kubernetes Auth Backend

token_reviewer_jwt is the JWT of a service account that Vault will use to call the Kubernetes TokenReview API whenever a pod logs in, so that service account must hold the system:auth-delegator ClusterRole. kubernetes_host is minikube's API server (the address minikube ip reports, on port 8443) and kubernetes_ca_cert is the cluster CA set up in the previous step; the @ prefix makes the Vault CLI read the file's contents rather than the path.

$ vault write auth/kubernetes/config \
    token_reviewer_jwt="$default_token_value" \
    kubernetes_host=https://192.168.99.101:8443 \
    kubernetes_ca_cert=@$KUBE_CA_CERT_PATH
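The preceding steps as one script, added as an example that is not from the gist: it derives kubernetes_host and the CA path from the running minikube, creates a dedicated reviewer service account instead of reusing default, checks that the JWT it is about to hand to Vault is actually a service-account token (decoding the payload without verifying it, since verification is Vault's job), and goes one step past the page by creating a policy and role and performing a test login. The names vault-auth, demo and secret/demo, the reviewer binding name and the sample tokens are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the gist: the whole backend setup as one re-runnable
# script, with a sanity check on the JWT before it is handed to Vault.
# Assumed names (not on the original page): service account "vault-auth" in
# namespace "default", policy and role "demo", KV v2 secret "secret/demo".
# Only run_setup talks to minikube, kubectl and vault:  sh setup.sh run
set -eu

# JWT segments are base64url without padding; restore both before decoding.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Read one string claim from the payload. No signature check here: that is
# Vault's job via TokenReview. A "." in a claim name matches any character,
# which is fine for a sanity check.
jwt_claim() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" |
    sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# token_reviewer_jwt must be a service-account token; anything else only fails
# later, inside TokenReview, with a far less obvious error. Legacy tokens carry
# iss=kubernetes/serviceaccount and bound tokens the API server URL, so the
# subject prefix is the claim to key on.
is_service_account_jwt() {
  case "$(jwt_claim "$1" sub)" in
    system:serviceaccount:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed samples (unsigned, demonstration only): the first has the shape
# of the legacy token minikube issued in 2018, the second is an OIDC user token.
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_JWT="$(b64url '{"alg":"RS256","typ":"JWT"}').$(b64url '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","sub":"system:serviceaccount:default:vault-auth"}').c2lnbmF0dXJl"
USER_JWT="$(b64url '{"alg":"RS256","typ":"JWT"}').$(b64url '{"iss":"https://accounts.example.com","sub":"alice"}').c2lnbmF0dXJl"

run_setup() {
  : "${VAULT_ADDR:?set VAULT_ADDR to an address the minikube VM can reach, e.g. http://192.168.99.1:8200}"
  k8s_host="https://$(minikube ip):8443"
  k8s_ca="${KUBE_CA_CERT_PATH:-$HOME/.minikube/ca.crt}"

  # Vault validates pod JWTs by calling TokenReview as this service account,
  # so it needs the system:auth-delegator ClusterRole and nothing more.
  kubectl get serviceaccount vault-auth >/dev/null 2>&1 ||
    kubectl create serviceaccount vault-auth
  kubectl get clusterrolebinding vault-auth-tokenreview >/dev/null 2>&1 ||
    kubectl create clusterrolebinding vault-auth-tokenreview \
      --clusterrole=system:auth-delegator --serviceaccount=default:vault-auth

  # Pre-1.24 clusters auto-create a token secret; newer ones need a request.
  secret=$(kubectl get serviceaccount vault-auth -o jsonpath='{.secrets[0].name}')
  if [ -n "$secret" ]; then
    reviewer_jwt=$(kubectl get secret "$secret" -o jsonpath='{.data.token}' | base64 -d)
  else
    reviewer_jwt=$(kubectl create token vault-auth)
  fi
  is_service_account_jwt "$reviewer_jwt" ||
    { echo "refusing: token_reviewer_jwt is not a service-account JWT" >&2; return 1; }

  vault auth list | grep -q '^kubernetes/' || vault auth enable kubernetes
  vault write auth/kubernetes/config \
    token_reviewer_jwt="$reviewer_jwt" \
    kubernetes_host="$k8s_host" \
    kubernetes_ca_cert=@"$k8s_ca"

  # Least privilege on the pod side: this SA, this namespace, read of one path.
  # -dev mounts KV v2 at secret/, which is why the policy path carries data/.
  vault policy write demo - <<'EOF'
path "secret/data/demo" { capabilities = ["read"] }
EOF
  vault write auth/kubernetes/role/demo \
    bound_service_account_names=vault-auth \
    bound_service_account_namespaces=default \
    policies=demo ttl=1h
  vault kv put secret/demo password=not-a-real-secret

  # End-to-end proof: log in as the SA would from a pod, then read the secret.
  token=$(vault write -field=token auth/kubernetes/login role=demo jwt="$reviewer_jwt")
  VAULT_TOKEN="$token" vault kv get -field=password secret/demo
}

if [ "${1:-}" = run ]; then run_setup; fi
```

Run it with sh setup.sh run once VAULT_ADDR is set; without the argument it only defines the functions, so the decoding helpers can be exercised on their own. The sample JWTs are unsigned stand-ins shaped like real tokens and Vault would reject them, which is the point of doing this check before, not instead of, TokenReview.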